Sixty percent of them said, “No.” As the Senate vote on the controversial Cybersecurity Act gets closer, it is sobering to realize that the majority of security professionals do not believe it will achieve its stated intention.
But it’s not surprising. There is a similar reaction in the UK to the proposed Communications Bill. Backbench MP David Davis commented, “I took advice from experts. I asked them a simple question: ‘If you were a terrorist, how would you avoid this scrutiny?’ I stopped them when they got to the fifth method. It is pretty straightforward: for terrorists, everything from proxy servers to one-off mobile phones means that such scrutiny is easy to avoid.”
It’s not limited to these two new proposed laws. In the UK, security professionals at Infosecurity Europe 2012 were asked by Sophos to comment on their opinion on the Data Protection Act and the Information Commissioners Office. Less than half of the respondents cited legislation as an incentive towards improving data security; and 22% didn’t think the legal obligations were at all clear. This is despite the ICO’s own view, voiced in his subsequent annual report, “the ICO is well up to the task... the ICO has bared its teeth... It’s a case of ‘wake up and smell the CMP!’ [civil monetary penalty, or fine] ...the regulator is getting results.”
In the UK, Ollie Hart, head of public sector at Sophos, puts it down to “a severe disconnect in the expectations that the Government has for organisations to comply with data protection legislation.”
In the US, Lamar Bailey, director of security research and development for nCircle, says, “It’s not surprising that IT security professionals think government regulation won’t improve critical infrastructure security as Congress doesn’t seem to have the technical expertise to craft laws that address critical infrastructure security.”
| Lawmakers clearly need a better understanding of both business and security before they rush into new laws |